Abstract. We associate a graph with a 1-safe Petri net and study the
parameterized complexity of various problems with parameters derived
from the graph. With treewidth as the parameter, we give W[1]-hardness
results for many problems about 1-safe Petri nets. As a corollary, this
proves a conjecture of Downey et al. about the hardness of some graph
pebbling problems. We consider the parameter benefit depth (that is
known to be helpful in getting better algorithms for general Petri nets)
and again give W[1]-hardness results for various problems on 1-safe Petri
nets. We also consider the stronger parameter vertex cover number.
Combining the well known automata-theoretic method and a powerful fixed
parameter tractability (Fpt) result about Integer Linear Programming,
we give an Fpt algorithm for model checking Monadic Second Order
(MSO) formulas on 1-safe Petri nets, with parameters vertex cover
number and the size of the formula.

1 Introduction 

Petri nets are popular for modelling because they offer a succinct representation
of loosely coupled communicating systems. Some powerful techniques are
available but the complexity of analysis is high. In his lucid survey [8], Esparza
summarizes the situation as follows: almost every interesting analysis question
on the behaviour of general Petri nets is Expspace-hard, and almost every
interesting analysis question on the behaviour of 1-safe Petri nets is Pspace-hard.
By considering special subclasses of nets slightly better results can be obtained.
Esparza points out that T-systems (also called marked graphs) and S-systems
(essentially sequential transition systems) are the largest subclasses where
polynomial time algorithms are available. We therefore look for a structural parameter
with respect to which some analysis problems remain tractable.

Parameterized complexity. A brief review will not be out of place here. Let $\Sigma$ be
a finite alphabet in which instances $I \in \Sigma^*$ of a problem $\Pi \subseteq \Sigma^*$ are specified,
where $\Pi$ is the set of Yes instances. The complexity of a problem is stated in
terms of the amount of resources — space, time — needed by any algorithm solving
it, measured as a function of the size $|I|$ of the problem instance. In parameterized
complexity, introduced by Downey and Fellows [5], the dependence of
resources needed is also measured in terms of a parameter $\kappa(I)$ of the input,
which is usually less than the input size $|I|$. A parameterized problem is said
to be fixed parameter tractable (Fpt) if it can be solved by an algorithm with
running time $f(\kappa(I))\,poly(|I|)$ where $f$ is some computable function and $poly$ is
a polynomial. (Similarly, a ParaPspace algorithm [10] is one that runs in space
$f(\kappa(I))\,poly(|I|)$.)

For example, consider the problem of checking that all strings accepted by
a given finite state automaton satisfy a given Monadic Second Order (MSO)
sentence. The size of an instance of this problem is the sum of sizes of the
automaton and the MSO sentence. If the size of the MSO sentence is considered
as a parameter, then this problem is Fpt, by the Büchi, Elgot, Trakhtenbrot theorem.

There is a parameterized complexity class W[1], lowest in a hierarchy of
intractable classes called the W-hierarchy [5] (similar to the polynomial time
hierarchy). A parameterized problem complete for W[1] is to decide if there is
an accepting computation of at most k steps in a given non-deterministic Turing
machine, where the parameter is k [5]. It is widely believed that parameterized
problems hard for W[1] are not Fpt. To prove that a problem is hard for a
parameterized complexity class, we have to give a parameterized reduction from
a problem already known to be hard to our problem. A parameterized reduction
from $(\Pi, \kappa)$ to $(\Pi', \kappa')$ is an algorithm $A$ that maps problem instances in
(resp. outside) $\Pi$ to problem instances in (resp. outside) $\Pi'$. There must be
computable functions $f$ and $g$ and a polynomial $p$ such that the algorithm $A$ on
input $I$ terminates in time $f(\kappa(I))\,p(|I|)$ and $\kappa'(A(I)) \le g(\kappa(I))$, where $A(I)$ is
the problem instance output by $A$.

Results. Demri, Laroussinie and Schnoebelen considered synchronized transition
systems, a form of 1-safe Petri nets [4] and showed that the number of
synchronizing components (processes) is not a parameter which makes analysis
tractable. Likewise, our first results are negative. All parameters mentioned
below are defined in Sect. 2.

— With the pathwidth of the flow graph of the 1-safe Petri net as parameter,
reachability, coverability, Computational Tree Logic (CTL) and the complement
of Linear Temporal Logic (LTL) model checking problems are all
W[1]-hard, even when the size of the formula is a constant. In contrast,
for the class of sequential transition systems and formula size as parameter,
Büchi's theorem is that model checking for MSO logic is Fpt.

— As a corollary, we also prove a conjecture of Downey, Fellows and Stege that
the Signed Digraph Pebbling problem [6, section 5] is W[1]-hard when
parameterized by treewidth.

— With the benefit depth of the 1-safe Petri net as parameter, reachability,
coverability, CTL and the complement of LTL model checking problems are
W[1]-hard, even when the size of the formula is a constant.

We are luckier with our third parameter.

— With the vertex cover number of the flow graph and formula size as parameters,
MSO model checking is Fpt.



Perspective. As can be expected from the negative results, the class of 1-safe
Petri nets which are amenable to efficient analysis (i.e., those with small vertex
cover) is not too large. But even for this class, a reachability graph construction
can be of exponential size, so just an appeal to Büchi's theorem is not sufficient
to yield our result.

Roughly speaking, our Fpt algorithm works well for systems which have a
small "core" (vertex cover), a small number of "interface types" with this core,
but any number of component processes using these interface types to interact
with the core (see Fig. 9). Thus, we can have a large amount of conflict and
concurrency but a limited amount of causality. Recall that S-systems and
T-systems have no concurrency and no conflict, respectively. Since all we need
from the logic is a procedure which produces an automaton from a formula, we
are able to use the most powerful, MSO logic. Our proofs combine the well known
automata-theoretic method [2, 22, 12] with a powerful result about feasibility of
Integer Linear Programming (Ilp) parameterized by the number of variables
[14, 13, 11].

Related work. Drusinsky and Harel studied nondeterminism, alternation and
concurrency in finite automata from a complexity point of view [7]. Their results
also hold for 1-bounded Petri nets.

The Signed Digraph Pebbling problem considered by Downey, Fellows
and Stege [6] can simulate Petri nets. They showed that with treewidth and the
length of the firing sequence as parameters, the reachability problem is Fpt.
They conjectured that with treewidth alone as parameter, the problem is
W[1]-hard.

Fellows et al. showed that various graph layout problems that are hard with
treewidth as parameter (or whose complexity parameterized by treewidth is not 
known) are Fpt when parameterized by vertex cover number [9]. They also used 
tractability of Ilp and extended feasibility to optimization. 

Acknowledgements. We thank the anonymous CONCUR referees for providing 
detailed comments that helped in improving the presentation. 

2 Preliminaries 
2.1 Petri nets 

A Petri net is a 4-tuple $\mathcal{N} = (P, T, Pre, Post)$, $P$ a set of places, $T$ a set of
transitions, $Pre : P \times T \to \{0,1\}$ (arcs going from places to transitions) and
$Post : P \times T \to \{0,1\}$ (arcs going from transitions to places) the incidence
functions. A place $p$ is an input (output) place of a transition $t$ if $Pre(p,t) = 1$
($Post(p,t) = 1$) respectively. We use $^\bullet t$ ($t^\bullet$) to denote the set of input (output)
places of a transition $t$. In diagrams, places are shown as circles and transitions
as thick bars. Arcs are shown as directed edges between places and transitions.

Given a Petri net $\mathcal{N}$, we associate with it an undirected flow graph $G(\mathcal{N}) =
(P, E)$ where $(p_1, p_2) \in E$ iff for some transition $t$, $Pre(p_1,t) + Post(p_1,t) \ge 1$
and $Pre(p_2,t) + Post(p_2,t) \ge 1$. If a place $p$ is both an input and an output
place of some transition, the vertex corresponding to $p$ has a self loop in $G(\mathcal{N})$.

A marking $M : P \to \mathbb{N}$ can be thought of as a configuration of the Petri
net, with each place $p$ having $M(p)$ tokens. We will only deal with 1-safe Petri
nets in this paper, where the range of markings is restricted to $\{0, 1\}$. Given a
Petri net $\mathcal{N}$ with a marking $M$ and a transition $t$ such that for every place $p$,
$M(p) \ge Pre(p,t)$, the transition $t$ is said to be enabled at $M$ and can be fired
(denoted $M \xrightarrow{t} M'$) giving $M'(p) = M(p) - Pre(p,t) + Post(p,t)$ for every
place $p$. This is generalized to a firing sequence
$M \xrightarrow{t_1} M_1 \xrightarrow{t_2} \cdots \xrightarrow{t_r} M_r$, more
briefly $M \xrightarrow{t_1 t_2 \cdots t_r} M_r$. A firing sequence $\rho$ enabled at $M_0$ is said to be maximal
if it is infinite, or if $M_0 \xrightarrow{\rho} M$ and no transition is enabled at $M$.

Definition 1 (Reachability, coverability). Given a 1-safe Petri net $\mathcal{N}$ with
initial marking $M_0$ and a target marking $M : P \to \{0, 1\}$, the reachability
problem is to decide if there is a firing sequence $\rho$ such that $M_0 \xrightarrow{\rho} M$. The
coverability problem is to decide if there is a firing sequence $\rho$ and some marking
$M' : P \to \{0, 1\}$ such that $M_0 \xrightarrow{\rho} M'$ and $M'(p) \ge M(p)$ for every place $p$.
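
The firing rule and the two problems of Definition 1, as an added Python example that is not part of the paper: it enumerates every reachable marking of a small constructed net, the brute-force search whose state space can be exponential in the number of places. A marking is represented as the set of marked places; the sample net and the function names are assumptions of this example.

```python
from collections import deque

# Constructed sample net (not from the paper). Pre and Post are given per
# transition as sets of places: Pre(p, t) = 1 iff p is in PRE[t], and so on.
PRE = {"t1": {"a"}, "t2": {"b"}, "u": {"b", "d"}}
POST = {"t1": {"b"}, "t2": {"c"}, "u": {"e"}}
M0 = frozenset({"a", "d"})  # initial marking: the set of marked places


def enabled(marking, t, pre=PRE):
    """t is enabled at M iff M(p) >= Pre(p, t) for every place p."""
    return pre[t] <= marking


def fire(marking, t, pre=PRE, post=POST):
    """Return M' with M'(p) = M(p) - Pre(p, t) + Post(p, t)."""
    if not enabled(marking, t, pre):
        raise ValueError(f"{t} is not enabled")
    remaining = marking - pre[t]
    if remaining & post[t]:
        # A place would receive a second token: the net is not 1-safe.
        raise ValueError(f"firing {t} violates 1-safeness")
    return frozenset(remaining | post[t])


def explore(initial, pre=PRE, post=POST):
    """Breadth-first search over markings.

    Returns a dict mapping every reachable marking to one shortest firing
    sequence (list of transitions) that leads to it from `initial`.
    """
    initial = frozenset(initial)
    seen = {initial: []}
    queue = deque([initial])
    while queue:
        marking = queue.popleft()
        for t in sorted(pre):
            if enabled(marking, t, pre):
                nxt = fire(marking, t, pre, post)
                if nxt not in seen:
                    seen[nxt] = seen[marking] + [t]
                    queue.append(nxt)
    return seen


def reachable(initial, target, pre=PRE, post=POST):
    """Firing sequence reaching exactly `target`, or None."""
    return explore(initial, pre, post).get(frozenset(target))


def coverable(initial, target, pre=PRE, post=POST):
    """Firing sequence reaching some M' with M'(p) >= M(p) for all p, or None."""
    target = frozenset(target)
    for marking, sequence in explore(initial, pre, post).items():
        if target <= marking:
            return sequence
    return None


if __name__ == "__main__":
    print(reachable(M0, {"e"}))  # a firing sequence that leaves only e marked
    print(reachable(M0, {"c"}))  # None: the token in d is never removed
    print(coverable(M0, {"c"}))  # a sequence reaching {c, d}, which covers {c}
```

On this net the marking with a token only in c is coverable but not reachable, which is the difference between the two problems.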

2.2 Logics 

Linear Temporal Logic (LTL) is a formalism in which many properties of transition
systems can be specified [8, section 4.1]. We use the syntax of [8], in
particular the places $P$ are the atomic formulae. The LTL formulas are interpreted
on runs, sequences of markings $\pi = M_0 M_1 \cdots$ from a firing sequence of a
1-safe Petri net. The satisfaction of a LTL formula $\phi$ at some position $j$ in a run
is defined inductively, in particular $\pi, j \models p$ iff $M_j(p) = 1$. Much more expressive
is the Monadic Second Order (MSO) logic of Büchi [2], interpreted on a maximal
run $M_0 M_1 \cdots$, with $\pi, s \models p(x)$ iff $M_{s(x)}(p) = 1$ under an assignment $s$ to the
variables. Boolean operations, first-order and monadic second-order quantifiers
are available as usual.

Computational Tree Logic (CTL) is another logic that can be used to specify 
properties of 1-safe Petri nets. The reader is referred to [8, section 4.2] for details. 

Definition 2 (Model checking). Given a 1-safe Petri net $\mathcal{N}$ with initial
marking $M_0$ and a logical formula $\phi$, the model checking problem (for that logic)
is to decide if for every maximal firing sequence $\rho$, the corresponding maximal
run $\pi$ satisfies $\pi, 0 \models \phi$.

Reachability, coverability and LTL model checking for 1-safe Petri nets are
all Pspace-complete [8]. Habermehl gave an automata-theoretic model checking
procedure for Linear Time $\mu$-calculus on general Petri nets [12].

2.3 Parameters 

The study of parameterized complexity derived an initial motivation from the
study of graph parameters. Many Np-complete problems can be solved in polynomial
time on trees and are Fpt on graphs that have tree-structured
decompositions.



Definition 3 (Tree decomposition, treewidth, pathwidth). A tree decomposition
of a graph $G = (V, E)$ is a pair $(T, (B_\tau)_{\tau \in nodes(T)})$, where $T$ is a tree
and $(B_\tau)_{\tau \in nodes(T)}$ is a family of subsets of $V$ such that:

— For all $v \in V$, the set $\{\tau \in nodes(T) \mid v \in B_\tau\}$ is nonempty and connected
in $T$.

— For every edge $(v_1, v_2) \in E$, there is a $\tau \in nodes(T)$ such that $v_1, v_2 \in B_\tau$.

The width of such a decomposition is the number $\max\{|B_\tau| \mid \tau \in nodes(T)\} - 1$.
The treewidth $tw(G)$ of $G$ is the minimum of the widths of all tree decompositions
of $G$. If the tree $T$ in the definition of tree decomposition is a path, we get
a path decomposition. The pathwidth $pw(G)$ of $G$ is the minimum of the widths
of all path decompositions of $G$.

From the definition, it is clear that pathwidth is at least as large as treewidth
and any problem that is W[1]-hard with pathwidth as parameter is also
W[1]-hard with treewidth as parameter. A fundamental result by Courcelle [3] shows
that graphs of small treewidth are easier to handle algorithmically: checking
whether a graph satisfies a MSO sentence is Fpt if the graph's treewidth and
the MSO sentence's length are parameters. In our context, the state space of a
concurrent system can be considered a graph. However, due to the state explosion
problem, the state space can be very large. Instead, we impose treewidth
restriction on a compact representation of the large state space — a 1-safe Petri
net. Note also that we are not model checking the state space itself but only the
language of words generated by the Petri net.

Definition 4 (Vertex cover number). A vertex cover $VC \subseteq V$ of a graph
$G = (V, E)$ is a subset of vertices such that for every edge in $E$, at least one of
its vertices is in $VC$. The vertex cover number of $G$ is the size of a smallest
vertex cover.

Definition 5 (Benefit depth [18]). The set of places $ben(p)$ benefited by a
place $p$ is the smallest set of places (including $p$) such that any output place of
any output transition of a place in $ben(p)$ is also in $ben(p)$. The benefit depth
of a Petri net is defined as $\max_{p \in P}\{|ben(p)|\}$.

Benefit depth can be thought of as a generalization of the out-degree in directed
graphs. For a Petri net, we take vertex covers of its flow graph $G(\mathcal{N})$.
Any vertex cover of $G(\mathcal{N})$ should include all vertices that have self loops. It was
shown in [18, 17] that benefit depth and vertex cover number bring down the
complexity of coverability and boundedness in general Petri nets from exponential
space-complete [19] to ParaPspace.
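
The flow graph of Sect. 2.1 and the parameters of Definitions 4 and 5, computed for a constructed family of nets in an added Python example that is not part of the paper. The family (n component places sharing a three-place core) and all function names are assumptions of this example; the vertex cover search is exhaustive and only meant for small nets.

```python
from itertools import combinations


def component_net(n):
    """Constructed example (not from the paper): component places x1..xn
    interact with a three-place core {idle, busy, lock}."""
    pre = {"done": {"busy", "lock"}}
    post = {"done": {"idle", "lock"}}
    for i in range(1, n + 1):
        pre[f"start{i}"] = {f"x{i}", "idle"}
        post[f"start{i}"] = {"busy"}
    return pre, post


def flow_graph(pre, post):
    """Edges of G(N) as frozensets; a one-element frozenset is a self loop."""
    edges = set()
    for t in pre:
        touched = pre[t] | post[t]
        # Two places are adjacent iff both are connected to some transition t.
        edges |= {frozenset(pair) for pair in combinations(sorted(touched), 2)}
        # Self loop: p is both an input and an output place of t.
        edges |= {frozenset({p}) for p in pre[t] & post[t]}
    return edges


def vertex_cover_number(edges):
    """Size of a smallest vertex cover, by exhaustive search (exponential)."""
    vertices = sorted(set().union(*edges))
    for size in range(len(vertices) + 1):
        for cover in combinations(vertices, size):
            chosen = set(cover)
            # A self loop {p} is covered only if p itself is chosen.
            if all(edge & chosen for edge in edges):
                return size


def ben(p, pre, post):
    """Smallest set containing p that is closed under taking output places
    of output transitions (Definition 5)."""
    benefited, stack = {p}, [p]
    while stack:
        q = stack.pop()
        for t in pre:
            if q in pre[t]:  # t is an output transition of q
                for r in post[t] - benefited:
                    benefited.add(r)
                    stack.append(r)
    return benefited


def benefit_depth(pre, post):
    """Maximum of |ben(p)| over all places p."""
    places = set().union(*pre.values(), *post.values())
    return max(len(ben(p, pre, post)) for p in places)


if __name__ == "__main__":
    for n in (2, 8):
        pre, post = component_net(n)
        edges = flow_graph(pre, post)
        print(n, len(edges), vertex_cover_number(edges), benefit_depth(pre, post))
```

Both parameters stay constant as the number of components grows, because every transition touches at most one place outside the core.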

3 Lower bounds for 1-safe Petri nets and pebbling 
3.1 1-safe Petri nets, treewidth and pathwidth 

Here we prove W[1]-hardness of reachability in 1-safe Petri nets with the pathwidth
of the flow graph as parameter, through a parameterized reduction from
the parameterized Partitioned Weighted Satisfiability (p-Pw-SAT) problem. The
primal graph of a propositional CNF formula has one vertex for each propositional
variable, and an edge between two variables iff they occur together in a clause.
An instance of p-Pw-SAT problem is a triple $(\mathcal{F}, part : \Phi \to \{1, \dots, k\}, tg :
\{1, \dots, k\} \to \mathbb{N})$, where $\mathcal{F}$ is a propositional CNF formula, $part$ partitions the
set of propositional variables $\Phi$ into $k$ parts and we need to check if there is
a satisfying assignment that sets exactly $tg(r)$ variables to $\top$ in each part $r$.
Parameters are $k$ and the pathwidth of the primal graph of $\mathcal{F}$. We showed in an
earlier paper that p-Pw-SAT is W[1]-hard when parameterized by the number
of parts $k$ and the pathwidth of the primal graph [16, Lemma 6.1].

Now we will demonstrate a parameterized reduction from p-Pw-SAT to reachability
in 1-safe Petri nets, with the pathwidth of the flow graph as parameter.
Given an instance of p-Pw-SAT, let $q_1, \dots, q_n$ be the variables used. Construct
an optimal path decomposition of the primal graph of the CNF formula in the
given p-Pw-SAT instance (doing this is Fpt [1]). For every clause in the CNF
formula, the primal graph contains a clique formed by all variables occurring
in that clause. There will be at least one bag in the path decomposition of the
primal graph that contains all vertices in this clique [5, Lemma 6.49]. Order the
bags of the path decomposition from left to right and call the clause whose clique
appears first $C_1$, the clause whose clique appears second as $C_2$ and so on. If more
than one such clique appear for the first time in the same bag, order the
corresponding clauses arbitrarily. Let $C_1, \dots, C_m$ be the clauses ordered in this
way. We will call this the path decomposition ordering of clauses, and use it to
prove that the pathwidth of the flow graph of the constructed 1-safe Petri net
is low (Lemma 7). For a partition $r$ between 1 and $k$, we let $n[r]$ be the number
of variables in $r$. Following are the places of our 1-safe Petri net.

1. For every propositional variable $q_i$ used in the given p-Pw-SAT instance,
places $q_i, x_i, \overline{x_i}$.

2. For every partition $r$ between 1 and $k$, places $t{\uparrow}_r$, $f{\uparrow}_r$, $tu_r^0, \dots, tu_r^{tg(r)}$ and
$fl_r^0, \dots, fl_r^{n[r]-tg(r)}$.

3. For each clause $C_j$, a place $C_j$. Additional places $C_{m+1}$, $s$, $g$.

The construction of the Petri net is illustrated in the following diagrams.
The notation $part(i)$ stands for the partition to which $q_i$ belongs. Intuitively,
the truth assignment of $q_i$ is determined by firing $t_i$ or $f_i$ in Fig. 1. The token in
$x_i/\overline{x_i}$ is used to check satisfaction of clauses later. The token in $t{\uparrow}_{part(i)}/f{\uparrow}_{part(i)}$
is used to count the number of variables set to $\top/\bot$ in each part, with the part
of the net in Fig. 2. For each clause $C_j$ between 1 and $m$, the part of the net
shown in Fig. 3 is constructed. In Fig. 3, it is assumed that $C_j = q_1 \lor \overline{q_2} \lor q_3$.
Intuitively, a token can be moved from place $C_j$ to $C_{j+1}$ iff the clause $C_j$ is
satisfied by the truth assignment determined by the firings of $t_i/f_i$ for each $i$
between 1 and $n$. The net in Fig. 4 checks that the target has been met in all
partitions.

The initial marking of the constructed net consists of 1 token each in the
places $q_1, \dots, q_n$, $s$, $tu_1^0, \dots, tu_k^0$, $fl_1^0, \dots, fl_k^0$ and $C_1$, with 0 tokens in all other
places. The final marking to be reached has a token in the places $s$ and $g$.

Fig. 1. Part of the net for each variable $q_i$

Fig. 2. Part of the net for each part $r$ between 1 and $k$

Lemma 6. Given a p-Pw-SAT instance, constructing the Petri net described
above is Fpt. The constructed Petri net is 1-safe. The given instance of p-Pw-SAT
is a Yes instance iff in the constructed 1-safe net, the required final marking
can be reached from the given initial marking.

Proof. The only non-trivial process in the construction of the Petri net is computing
an optimal path decomposition of the primal graph of the CNF formula in
the given p-Pw-SAT instance. Doing this is Fpt and the rest of the construction
can be done in polynomial time. It is not difficult to see that the constructed
net is 1-safe.

Suppose the given instance of p-Pw-SAT is a Yes instance. Starting with
$i = 1$, repeat the following firing sequence for each $i$ between 1 and $n$. If $q_i$
is $\top$ in the witnessing satisfying assignment, fire $t_i$ else fire $f_i$. Then use the
token thus put into $t{\uparrow}_{part(i)}/f{\uparrow}_{part(i)}$ respectively to shift a token one place to
the right in Fig. 2 and put a token back in the place $s$. Continue with the next
$i$. Since the witnessing assignment meets the target in each partition, we will
have one token each in the places $tu_1^{tg(1)}, \dots, tu_k^{tg(k)}, fl_1^{n[1]-tg(1)}, \dots, fl_k^{n[k]-tg(k)}$.
In addition, there will be a token in $x_i/\overline{x_i}$ iff the witnessing assignment set $q_i$ to
$\top/\bot$ respectively. Since this witnessing assignment satisfies all the clauses of the
CNF formula, we can move the initial token in $C_1$ to $C_{m+1}$ using the transitions
in Fig. 3. Now, the transition in Fig. 4 can be fired to get a token into the place
$g$. Now, the only tokens left are those in the places $s$ and $g$, and those in $x_i/\overline{x_i}$.
We can remove the tokens in $x_i/\overline{x_i}$ by firing $td_i/fd_i$ to reach the final marking.

Fig. 3. Part of the net for each clause $C_j$

Fig. 4. Part of the net to check that target has been met

Suppose the required final marking is reachable in the constructed Petri
net. Since a token has to be added to the place $g$ to reach the final marking
and the transition in Fig. 4 is the only transition that can add tokens to $g$,
all input places of that transition must receive a token. The only way to get a
token in places $tu_r^{tg(r)}$ is to shift the initial token in the place $tu_r^0$ $tg(r)$ times.
This requires exactly $tg(r)$ tokens in the place $t{\uparrow}_r$. A similar argument holds
for getting a token in $fl_r^{n[r]-tg(r)}$. Since the only way to add a token to $t{\uparrow}_r/f{\uparrow}_r$
is to fire transitions $t_i/f_i$ (such that $part(i) = r$), the only way to get a token
each in $tu_1^{tg(1)}, \dots, tu_k^{tg(k)}, fl_1^{n[1]-tg(1)}, \dots, fl_k^{n[k]-tg(k)}$ is to fire either $t_i$ or $f_i$ for
each $i$ between 1 and $n$. Consider any firing sequence reaching the required
final marking. Consider the truth assignment to $q_1, \dots, q_n$ that assigns $\top$ to
exactly those variables $q_i$ such that $t_i$ was fired in the firing sequence. This truth
assignment meets the target for each part since this firing sequence adds one
token each to the places $tu_1^{tg(1)}, \dots, tu_k^{tg(k)}, fl_1^{n[1]-tg(1)}, \dots, fl_k^{n[k]-tg(k)}$. To reach
the final marking, a token is also required at the place $C_{m+1}$. The only way to
get this token is to shift the initial token in $C_1$ to $C_{m+1}$ through the transitions
in Fig. 3. This means that every clause is satisfied by the truth assignment we
constructed. □

It remains to prove that the pathwidth of the flow graph of the constructed
1-safe net is a function of the parameters of the p-Pw-SAT instance.

Lemma 7. Suppose a given instance of p-Pw-SAT has a CNF formula whose
primal graph has pathwidth $pw$ and $k$ parts. Then, the flow graph of the 1-safe
net constructed as described above has pathwidth at most $3pw + 4k + 7$.

Proof. We show a path decomposition of the flow graph of the net. Call the set of
places $\{s, g, C_{m+1}, t{\uparrow}_1, \dots, t{\uparrow}_k, f{\uparrow}_1, \dots, f{\uparrow}_k, tu_1^{tg(1)}, \dots, tu_k^{tg(k)}, fl_1^{n[1]-tg(1)}, \dots,
fl_k^{n[k]-tg(k)}\}$ as $P_1$. Consider an optimal path decomposition of the primal graph
of the CNF formula. In every bag, replace every occurrence of each $q_i$ by the set
$\{q_i, x_i, \overline{x_i}\} \cup P_1$.

Let $C_1, \dots, C_m$ be the clauses in the path decomposition order as explained
in the beginning of this sub-section. We will first show that places representing
clauses can be added to the bags of the above decomposition without increasing
their size much, while maintaining the invariant that all bags containing any one
place are connected in the decomposition. We will do this by augmenting existing
bags with new elements: if $B$ is any bag in the decomposition and $p$ is an element
not in $B$, augmenting $B$ with $p$ means creating a new bag $B'$ immediately to
the left of $B$ containing $p$ in addition to the elements in $B$. We will call the
new bag $B'$ thus created an augmented bag. Perform the following operation in
increasing order for each $j$ between 1 and $m$: if $B$ is the first non-augmented bag
from left to contain all literals of the clause $C_j$, augment $B$ with $C_j$.

There will be $m$ new bags created due to the above augmentation steps. Due
to the path decomposition ordering of $C_1, \dots, C_m$, the augmented bag containing
$C_{j+1}$ occurs to the right of the augmented bag containing $C_j$ for each $j$, $1 \le
j < m$. There might be some non-augmented bags between the augmented bags
containing $C_j$ and $C_{j+1}$. If so, add $C_j$ to such non-augmented bags. Now, to
every bag, if it contains $C_j$ for some $j$ between 1 and $m$, add $C_{j+1}$. It is routine
to verify the following properties of the sequence we have with the bags modified
as above.

— Each bag has at most $3pw + 4k + 8$ elements.

— The set of bags containing any one element forms a contiguous sub-sequence. 

— Every vertex and edge in any subgraph induced by the parts of the net in 
Fig. 1, Fig. 3, and Fig. 4 is contained in some bag. 



To account for the subgraph induced by the parts of the net in Fig. 2, we append
the following sequence of bags for each $r$ between 1 and $k$:

$(\{tu_r^0, tu_r^1\} \cup P_1) - (\{tu_r^1, tu_r^2\} \cup P_1) - \cdots - (\{tu_r^{tg(r)-1}, tu_r^{tg(r)}\} \cup P_1) -$

$(\{fl_r^0, fl_r^1\} \cup P_1) - (\{fl_r^1, fl_r^2\} \cup P_1) - \cdots - (\{fl_r^{n[r]-tg(r)-1}, fl_r^{n[r]-tg(r)}\} \cup P_1)$

The resulting sequence of bags is a path decomposition of the flow graph of the
Petri net, whose width is at most $3pw + 4k + 7$. □

In the above reduction, it is enough to check if in the constructed 1-safe net, we 
can reach a marking that has a token at the place g. This can be expressed as 
reachability, coverability etc. Hence we get: 

Theorem 8. With the pathwidth (and hence treewidth also) of the flow graph of
a 1-safe Petri net as parameter, reachability, coverability, CTL model checking
and the complement of LTL/MSO model checking (with formulas of constant
size) are W[1]-hard.

3.2 Graph pebbling problems, treewidth and pathwidth 

The techniques used in the above lower bound proof can be easily translated
to some graph pebbling problems [6]. As conjectured in [6, section 5], we prove
that Signed Digraph Pebbling I, parameterized by treewidth is W[1]-hard.
An instance of this problem has a bipartite digraph $D = (V, A)$ for which the
vertex set $V$ is partitioned $V = Red \cup Blue$, and also the arc set $A$ is partitioned
into two partitions $A = A^+ \cup A^-$. The problem is to reach the finish state where
there are pebbles on all the red vertices, starting from a start state where there
are no pebbles on any of the red vertices, by a series of moves of the following
form:

— If $b$ is a blue vertex such that for all $s$ such that $(s, b) \in A^+$, $s$ is pebbled,
and for all $s$ such that $(s, b) \in A^-$, $s$ is not pebbled (in which case we say
that $b$ is enabled), then the set of vertices $s$ such that $(b, s) \in A^+$ are reset by
making them all pebbled, and the set of all vertices $s$ such that $(b, s) \in A^-$
are reset by making them all unpebbled.

Corollary 9. Parameterized by pathwidth (and hence by treewidth also), Signed
Digraph Pebbling is W[1]-hard.

Proof. To reduce p-Pw-SAT to Signed Digraph Pebbling, we first reduce the 
given p-Pw-SAT instance to a 1-safe net as shown in Lemma 6. From this 1-safe 
net, construct an instance of Signed Digraph Pebbling as follows. Let the 
set of all places form the set of vertices Red and the set of all transitions form 
the set of vertices Blue. The arcs of the Signed Digraph Pebbling instance 
are as follows. 

1. If $Pre(p, t) = 1$ in the 1-safe net, draw an $A^+$ arc from $p$ to $t$ in the Signed
Digraph Pebbling instance.

2. If $Pre(p, t) = 1$ and $Post(p, t) = 0$, draw an $A^-$ arc from $t$ to $p$.

3. If $Pre(p, t) = 0$ and $Post(p, t) = 1$, draw an $A^+$ arc from $t$ to $p$.

Suppose that in the 1-safe net, $M_1 \xrightarrow{t} M_2$. It is clear that the constructed
Signed Digraph Pebbling instance in the state where precisely those red
vertices are pebbled that have a token in $M_1$ enables the blue vertex $t$, and can
move to the state where precisely those red vertices are pebbled that have a
token in $M_2$. Add a special blue vertex $b_1$ with $A^+$ arcs from $b_1$ to $q_1, q_2, \dots, q_n$,
$tu_1^0, \dots, tu_k^0$, $fl_1^0, \dots, fl_k^0$, $C_1$ and $s$. Add $A^-$ arcs from all red vertices to $b_1$. In
the start state where there are no pebbles at all, $b_1$ is the only blue vertex enabled.
The blue vertex $b_1$ is enabled only in the start state. Upon performing the legal
move using $b_1$ from the start state, we will reach a state in which precisely those
red vertices are pebbled that have a token in the initial marking of the 1-safe
net. From this state, there is at least one pebbled red vertex in any reachable
state, so $b_1$ is never enabled again. From this state, we can reach a state with
the red vertex $g$ pebbled iff the given p-Pw-SAT instance is a Yes instance. Add
another special blue vertex $b_2$ with an $A^+$ arc from the red vertex $g$ to $b_2$. Add
$A^+$ arcs from $b_2$ to all red vertices. All blue vertices except $b_1$ and $b_2$ unpebble
at least one red vertex. Hence, the only way to reach the finish state (where
all red vertices must be pebbled) from the start state is to enable $b_2$. The only
way to enable $b_2$ is to reach a state where the red vertex $g$ is pebbled. Hence,
the constructed Signed Digraph Pebbling instance is a Yes instance iff the
given p-Pw-SAT instance is a Yes instance.

To complete the reduction, it only remains to show that the pathwidth of the 
Signed Digraph Pebbling instance is bounded by the pathwidth of the flow 
graph of the intermediate 1-safe net. Consider an optimal path decomposition of 
this flow graph. For every transition t, the set of all input and output places of 
t forms a clique in the flow graph. Hence, there will be at least one bag B in the 
path decomposition containing all these places. Create an extra bag B' adjacent 
to B containing all elements of B and also the blue vertex corresponding to 
t. After doing this for each transition, add the vertices $b_1$ and $b_2$ to all bags.
The resulting decomposition is a path decomposition of the Signed Digraph 
Pebbling instance. Its width is at most 3 more than the pathwidth of the flow 
graph of the 1-safe net. □ 
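
The translation used in the proof of Corollary 9, as an added Python example that is not part of the paper: it applies the three arc rules, adds the special blue vertices $b_1$ and $b_2$, and searches the pebbling states exhaustively. The sample net, the names `b1`/`b2` as vertex labels and the function names are assumptions; as in the proof, every transition of the net is assumed to unpebble at least one place and to pebble at least one place.

```python
from collections import deque

# Constructed sample net (not from the paper): place "g" plays the role of
# the goal place; transitions are given by their input and output places.
SAMPLE_PRE = {"t1": {"p1"}, "t2": {"p2"}, "u": {"p2", "p4"}}
SAMPLE_POST = {"t1": {"p2"}, "t2": {"p3"}, "u": {"g"}}


def to_pebbling(pre, post, initial, goal):
    """Pebbling instance built from a 1-safe net as in the proof above.

    Returns (red, blue, plus, minus); plus and minus are the arc sets A+ and
    A- as (source, target) pairs. The labels "b1" and "b2" are assumed not to
    clash with any place or transition name.
    """
    red = set(initial) | {goal}
    for t in pre:
        red |= pre[t] | post[t]
    plus, minus = set(), set()
    for t in pre:
        for p in pre[t]:
            plus.add((p, t))              # rule 1: Pre(p, t) = 1
            if p not in post[t]:
                minus.add((t, p))         # rule 2: Pre = 1 and Post = 0
        for p in post[t] - pre[t]:
            plus.add((t, p))              # rule 3: Pre = 0 and Post = 1
    # b1 is enabled only when nothing is pebbled; it pebbles the initial marking.
    plus |= {("b1", p) for p in initial}
    minus |= {(p, "b1") for p in red}
    # b2 is enabled once the goal place is pebbled; it pebbles every red vertex.
    plus.add((goal, "b2"))
    plus |= {("b2", p) for p in red}
    return red, set(pre) | {"b1", "b2"}, plus, minus


def moves(state, blue, plus, minus):
    """Yield (b, next_state) for every enabled blue vertex b."""
    for b in sorted(blue):
        must_have = {s for s, x in plus if x == b}
        must_lack = {s for s, x in minus if x == b}
        if must_have <= state and not (must_lack & state):
            pebble = {s for x, s in plus if x == b}
            unpebble = {s for x, s in minus if x == b}
            yield b, frozenset((state - unpebble) | pebble)


def finish_moves(red, blue, plus, minus):
    """Shortest move sequence from no pebbles to all red vertices pebbled,
    or None if the finish state cannot be reached."""
    start, finish = frozenset(), frozenset(red)
    seen = {start: []}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if state == finish:
            return seen[state]
        for b, nxt in moves(state, blue, plus, minus):
            if nxt not in seen:
                seen[nxt] = seen[state] + [b]
                queue.append(nxt)
    return None


if __name__ == "__main__":
    yes = to_pebbling(SAMPLE_PRE, SAMPLE_POST, {"p1", "p4"}, "g")
    no = to_pebbling(SAMPLE_PRE, SAMPLE_POST, {"p1"}, "g")
    print(finish_moves(*yes))  # starts with b1, ends with b2
    print(finish_moves(*no))   # None: g can never be pebbled
```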

3.3 1-safe Petri nets and benefit depth 

Here we show that the parameter benefit depth is not helpful for 1-safe Petri nets,
by showing W[1]-hardness using a parameterized reduction from the constraint
satisfaction problem (Csp).

Theorem 10. With benefit depth as the parameter in 1-safe Petri nets, reachability,
coverability, CTL model checking and the complement of the LTL/MSO
model checking problems, even with formulas of constant size, are W[1]-hard.

The rest of this section is devoted to a proof of the above theorem. To show that
with benefit depth as parameter, reachability in 1-safe nets is W[1]-hard, we
will show a Fpt reduction from the constraint satisfaction problem (Csp). With
the size of the domain $dom$ and the maximum number of constraints in which
any one variable can occur (called degree) $deg$ as parameters, Csp is W[1]-hard
[21, Corollary 2]. Given an instance of Csp with domain size $dom$, degree $deg$, $n$
variables and $m$ constraints, we construct a 1-safe net with the following places.

1. For every variable $q_i$, a place $q_i$.

2. For every constraint $C_j$ where $j$ is between 1 and $m$, a place $C_j$.

3. For every $i$ between 1 and $n$, for every domain element $d$ between 1 and $dom$,
for every constraint $C_j$ in which $q_i$ appears, the place $q[i]_j^d$.

4. One place $g$ for checking that all constraints are satisfied.

Fig. 5. Part of the net for every variable $q_i$ and domain value $d$

We assume without loss of generality that every variable occurs in at least one
constraint. Construction of the 1-safe net is illustrated in the following diagrams.
For every variable $q_i$ and domain value $d$ (between 1 and $dom$), part of the net
shown in Fig. 5 is constructed. Intuitively, the transition $t_i^d$ is fired to assign
domain value $d$ to $q_i$. In Fig. 5, the set of places labelled by $q[i]^d$ should be
understood to stand for the set of places $\{q[i]_j^d \mid q_i \text{ occurs in constraint } C_j\}$.
The set of transitions labelled $t[i]^d$ should be similarly understood.

For every constraint $C_j$ and every admissible tuple of domain values for $C_j$,
part of the net shown in Fig. 6 is constructed. In Fig. 6, it is assumed that the
constraint $C_j$ consists of variables $q_1$, $q_2$ and $q_3$ and that (3, 5, 6) is an admissible
tuple for this constraint. Finally, the part of the net in Fig. 7 verifies that all
constraints are satisfied. The initial marking has 1 token each in each of the places
$q_1, \dots, q_n$ and 0 tokens in all other places. The final marking to be reached is 1
token at the place $g$ and 0 tokens in all other places.

Lemma 11. Given a CSP instance of domain size dom and degree deg, the 
benefit depth of the 1-safe net constructed above is at most 2 + deg (dom + 1). 
The given CSP instance is satisfiable iff the required final marking is reachable 
from the initial marking in the constructed 1-safe net. 

Fig. 6. Part of the net for every constraint $C_j$ and every admissible tuple

Fig. 7. Part of the net to check that all constraints are satisfied



Proof. Maximum number of places are benefited by some place in $\{q_1, \dots, q_n\}$.
Any place $q_i$ can benefit itself, the place $g$, the set of places $\{q[i]_j^d \mid 1 \le d \le
dom, q_i \text{ occurs in } C_j\}$ and at most $deg$ places among $\{C_1, \dots, C_m\}$. This adds
up to at most $2 + deg(dom + 1)$.

Suppose the given CSP instance is satisfiable. For each variable $q_i$, if $d$ is the 
domain value assigned to $q_i$ by the satisfying assignment, fire the transition $t_i^d$ 
shown in Fig. 5. Since the satisfying assignment satisfies all the constraints, the 
transitions shown in Fig. 6 can be fired to get a token into each of the places 
$C_1, \ldots, C_m$. Then the transition shown in Fig. 7 can be fired to get a token 
in the place $g$. Any tokens remaining in places $q[i]_j^d$ can be removed by firing 
transitions $t[i]_j^d$ shown in Fig. 5. Now, the token in the place $g$ is the only token 
in the entire net and this is the final marking required to be reached. 

Suppose the required final marking is reachable in the constructed 1-safe 
net. Consider any firing sequence reaching the required final marking. Since the 
final marking needs a token in the place $g$ and the only transition that can add a 
token to $g$ is the one shown in Fig. 7, the firing sequence fires this transition. 
For this transition to be enabled, a token needs to be present in each of the 
places $C_1, \ldots, C_m$. These tokens can only be added by firing transitions shown 
in Fig. 6. To fire these transitions, tokens need to be present in the places $q[i]_j^d$. 
To generate these tokens, the firing sequence would have to fire some transition 
$t_i^d$ for each $i$ between 1 and $n$. Consider the assignment that assigns domain 
value $d$ to $q_i$ iff the firing sequence fired $t_i^d$. By construction, this assignment 
satisfies all constraints. □ 

Since the 1-safe net described above can be constructed in time polynomial 
in the size of the given CSP instance, Lemma 11 shows that this reduction 
is a parameterized reduction from CSP (with $dom$ and $deg$ as parameters) to 
reachability in 1-safe nets (with benefit depth as the parameter). In the above 
reduction, it is enough to check if in the constructed 1-safe net, we can reach a 
marking that has a token at the place $g$. This can be expressed as reachability, 
coverability etc. This proves Theorem 10. 

4 Vertex cover and model checking 1-safe Petri nets 

In this section, we will show that with the vertex cover number of the flow graph 
of the given 1-safe Petri net and the size of the given LTL/MSO formula as 
parameters, checking whether the given net is a model of the given formula is 
Fpt. With vertex cover number as the only parameter, we cannot hope to get 
this kind of tractability: 

Proposition 12. Model checking LTL (and hence MSO) formulas on 1-safe 
Petri nets whose flow graph has constant vertex cover number is Co-Np-hard. 

Proof. We give a reduction from the complement of the propositional logic 
satisfiability problem. Let $\mathcal{F}$ be a propositional formula over variables 
$q_1, \ldots, q_n$. Consider the 1-safe net $\mathcal{N}_{\mathcal{F}}$ shown in Fig. 8. The initial marking 
consists of 0 tokens in $g_2$ and 1 token each in all other places. The flow graph of 
$\mathcal{N}_{\mathcal{F}}$ has a vertex cover of size 2 ($\{g_1, g_2\}$). Every marking $M$ reachable in 
$\mathcal{N}_{\mathcal{F}}$ defines an assignment to the variables used in $\mathcal{F}$: $q_i = \top$ iff $M(q_i) = 1$. 
Every assignment can be represented by some reachable marking in this way. We 
claim that $\mathcal{F}$ is not satisfiable iff $\mathcal{N}_{\mathcal{F}}$ is a model of the LTL formula 
$\neg(\top \text{ Until } \mathcal{F})$. If $\mathcal{F}$ is not satisfiable, then none of the markings reachable in 
$\mathcal{N}_{\mathcal{F}}$ satisfies $\mathcal{F}$. Hence, $\mathcal{N}_{\mathcal{F}}$ is a model of the LTL formula 
$\neg(\top \text{ Until } \mathcal{F})$. On the other hand, if $\mathcal{N}_{\mathcal{F}}$ is a model of 
$\neg(\top \text{ Until } \mathcal{F})$, then none of the markings reachable in $\mathcal{N}_{\mathcal{F}}$ satisfies $\mathcal{F}$. 
Hence, $\mathcal{F}$ is not satisfiable. □ 

Fig. 8. The net $\mathcal{N}_{\mathcal{F}}$ associated with a propositional formula $\mathcal{F}$ 

Since a run of a 1-safe net $\mathcal{N}$ with set of places $P$ is a sequence of subsets 
of $P$, we can think of such sequences as strings over the alphabet $\mathscr{P}(P)$ (the 
power set of $P$). It is known [2, 22] that with any LTL or MSO formula $\phi$, we can 
associate a finite state automaton $A_\phi$ over the alphabet $\mathscr{P}(P)$ accepting the set 
of finite strings which are its models, as well as a finite state Büchi automaton 
$B_\phi$ accepting the set of infinite string models. 

Figure 9 shows the schematic of a simple manufacturing system modelled as 
a 1-safe Petri net. Starting from $p_1$, it picks up one unit of a raw material $\alpha$ 
and goes to $p_2$, then picks up raw material $\beta$, then $\gamma$. Transition $t_1$ does some 
processing and then the system starts from $p_1$ again. Suppose we want to make 
sure that whenever the system picks up a unit of raw material $\beta$, it is processed 
immediately. In other words, whenever the system stops at a marking where no 
transitions are enabled, there should not be a token in $p_3$. This can be checked 
by verifying that all finite maximal runs satisfy the formula 
$\forall x((\forall y\ y \le x) \Rightarrow \neg p_3(x))$. The satisfaction of this formula depends only on the 
number of units of raw materials $\alpha$, $\beta$ and $\gamma$ at the beginning, i.e., the number of 
tokens at the initial marking. The naive approach of constructing the whole 
reachability graph results in an exponentially large state space, due to the 
different orders in which the raw materials of each type can be drawn. If we want 
to reason about only the central system (which is the vertex cover 
$\{p_1, p_2, p_3, p_4\}$ in the above system), it turns out that we can ignore the order 
and express the requirements on the numbers by integer linear constraints. 

Suppose $VC$ is a vertex cover for $G(\mathcal{N})$. We use the fact that if $v_1, v_2 \notin VC$ 
are two vertices not in $VC$ that have the same set of neighbours, $v_1$ and $v_2$ have 
similar properties. This has been used to obtain Fpt algorithms for many hard 
problems (e.g. [9]). The following definitions formalize this. 

Definition 13. Let $VC$ be a vertex cover of $G(\mathcal{N})$. The ($VC$-) neighbourhood 
of a transition $t$ is the ordered pair $({}^\bullet t \cap VC,\ t^\bullet \cap VC)$. We denote by $l$ the number 
of different $VC$-neighbourhoods. 

Definition 14. Suppose $\mathcal{N}$ is a Petri net with $l$ neighbourhoods for vertex cover 
$VC$, and $p \notin VC$. The ($VC$-) interface $int[p]$ of $p$ is defined as the function 
$int[p] : \{1, \ldots, l\} \to \mathscr{P}(\{-1, 1\})$, where for every $j$ between 1 and $l$ and every 
$w \in \{1, -1\}$, there is a transition $t_j$ of $VC$-neighbourhood $j$ such that 
$w = -Pre(p, t_j) + Post(p, t_j)$ iff $w \in int[p](j)$. 

In the net in Fig. 9 with $VC = \{p_1, p_2, p_3, p_4\}$, all transitions labelled $\alpha$ have the 
same $VC$-neighbourhood and all the corresponding places have the same 
$VC$-interface. Since there can be $2k$ arcs between a transition and places in $VC$ if 
$|VC| = k$, there can be at most $2^{2k}$ different $VC$-neighbourhoods of transitions. 
There are at most $4^{2^{2k}}$ $VC$-interfaces. The set of interfaces is denoted by $Int$. 




Fig. 9. An example of a system with small vertex cover 

Proposition 15. Let $\mathcal{N}$ be a 1-safe net with $VC$ being a vertex cover of $G(\mathcal{N})$. 
Let $p_1, p_2, \ldots, p_i$ be places not in the vertex cover, all with the same interface. 
Let $M$ be some marking reachable from the initial marking of $\mathcal{N}$. If $M(p_j) = 1$ 
for some $j$ between 1 and $i$, then $M$ does not enable any transition that adds 
tokens to any of the places $p_1, \ldots, p_i$. 

Proof. Suppose there is a transition $t$ enabled at $M$ that adds a token to $p_{j'}$ for 
some $j'$ between 1 and $i$. Then there is a transition $t'$ with the same 
neighbourhood as $t$ (and hence enabled at $M$ too) that can add a token to $p_j$. Firing $t'$ 
from $M$ will create 2 tokens at $p_j$, contradicting the fact that $\mathcal{N}$ is 1-safe. □ 

If the initial marking has tokens in many places with the same interface, then no 
transition can add tokens to any of those places until all the tokens in all those 
places are removed. Once all tokens are removed, one of the places can receive 
one token after which, no place can receive tokens until this one is removed. 
All these places have the same interface. Thus, a set of places with the same 
interface can be thought of as an initial storehouse of tokens, after depleting 
which it can be thought of as a single place. However, a formula in our logic can 
reason about individual places, so we still need to keep track of individual places 
that occur in the formula. 

Proposition 16. Let $\mathcal{N}$ be a 1-safe net and $\phi$ be an MSO formula. Let $P_\phi \subseteq P$ 
be the subset of places that occur in $\phi$. Let $\pi = M_0 M_1 \cdots$ and $\pi' = M_0 M'_1 \cdots$ 
be two finite or infinite runs of $\mathcal{N}$ such that for all positions $j$ of $\pi$ and for all 
$p \in P_\phi$, $M_j(p) = M'_j(p)$. For any assignment $s$, we have $\pi, s \models \phi$ iff $\pi', s \models \phi$. 

Proof. By a straightforward induction on the structure of $\phi$. □ 



Let $\mathcal{N}$ be a 1-safe net such that $G(\mathcal{N})$ has a vertex cover $VC$ of size $k$. Suppose 
$\phi$ is a formula and we have to check if $\mathcal{N}$ satisfies $\phi$. For each interface $I$, let 
$P_I \subseteq P$ be the places not in $VC$ with interface $I$. If $P_I \setminus P_\phi \ne \emptyset$ (i.e., if there 
are places in $P_I$ that are not in $\phi$), designate one of the places in $P_I \setminus P_\phi$ as $p_I$. 
Define the set of special places 
$S = VC \cup P_\phi \cup \{p_I \in P_I \setminus P_\phi \mid I \text{ is an interface and } P_I \setminus P_\phi \ne \emptyset\}$. 
Note that $|S| \le k + |\phi| + 4^{2^{2k}}$. Since this number is a function of the parameters 
of the input instance, we will treat it as a parameter. 

We need a structure that keeps track of changes in places belonging to $S$, 
avoiding a construction involving all reachable markings. This can be done by a 
finite state machine whose states are subsets of $S$. Transitions of the Petri net 
that only affect places in $S$ can be simulated by the finite state machine with 
its usual transitions. To simulate transitions of the net that affect places outside 
$S$, we need to impose some conditions on the number of times transitions of the 
finite state machine can be used. The following definition formalizes this. For a 
marking $M$ of $\mathcal{N}$, let $M{\upharpoonright}S = \{p \in S \mid M(p) = 1\}$. 

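Definition 17. Given a 1-safe net $\mathcal{N}$ with initial marking $M_0$ and $S$ defined 
from $\phi$ as above, the edge constrained automaton 
$A_{\mathcal{N}} = (Q_{\mathcal{N}}, \Sigma, \delta_{\mathcal{N}}, u, F_{\mathcal{N}})$ 
is a structure defined as follows. $Q_{\mathcal{N}} = \mathscr{P}(S)$ and $\Sigma = Int \cup \{\bot\}$ (recall that 
$Int$ is the set of interfaces in $\mathcal{N}$). The transition relation 
$\delta_{\mathcal{N}} \subseteq Q_{\mathcal{N}} \times \Sigma \times Q_{\mathcal{N}}$ 
is such that for all $P_1, P_2 \subseteq S$ and $I \in Int \cup \{\bot\}$, $(P_1, I, P_2) \in \delta_{\mathcal{N}}$ iff there are 
markings $M_1, M_2$ and a transition $t$ of $\mathcal{N}$ such that 

- $M_1{\upharpoonright}S = P_1$, $M_2{\upharpoonright}S = P_2$ and $M_1 \stackrel{t}{\Longrightarrow} M_2$, 

- $t$ removes a token from a place $p \in P_I \setminus S$ of interface $I$ if $I \in Int$ and 

- $t$ does not have any of its input or output places in $P \setminus S$ if $I = \bot$. 

The edge constraint $u : Int \to \mathbb{N}$ is given by $u(I) = |\{p \in P_I \setminus S \mid M_0(p) = 1\}|$. 
A subset $P_1 \subseteq S$ is in $F_{\mathcal{N}}$ iff for every marking $M$ with $M{\upharpoonright}S = P_1$, the only 
transitions enabled at $M$ remove tokens from some place not in $S$. 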

Intuitively, the edge constraint u defines an upper bound on the number of times 
those transitions can be used that reduce tokens from places not in S. 
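
The following added example (not from the paper) computes the objects of Defs. 13, 14 and 17 for a small net: VC-neighbourhoods, VC-interfaces, the special set S and the edge constraint u. The net, its place and transition names, the initial marking `M0` and the formula places `P_PHI` are constructed here from the prose description of Fig. 9, since the figure itself is not reproduced.

```python
from collections import defaultdict

# Constructed net, modelled on the description of Fig. 9 (an assumption):
# transition -> (input places, output places).
TRANSITIONS = {
    "ta1": ({"p1", "a1"}, {"p2"}), "ta2": ({"p1", "a2"}, {"p2"}),
    "tb1": ({"p2", "b1"}, {"p3"}), "tb2": ({"p2", "b2"}, {"p3"}),
    "tc1": ({"p3", "c1"}, {"p4"}), "t1": ({"p4"}, {"p1"}),
}
VC = {"p1", "p2", "p3", "p4"}                # vertex cover, taken as given
M0 = {"p1", "a1", "a2", "b1", "b2", "c1"}    # places marked initially
P_PHI = {"p3"}                               # places occurring in the formula


def neighbourhoods(transitions, vc):
    """Def. 13: number the distinct pairs (pre & VC, post & VC) from 1 to l."""
    index, of_transition = {}, {}
    for t in sorted(transitions):
        pre, post = transitions[t]
        key = (frozenset(pre & vc), frozenset(post & vc))
        of_transition[t] = index.setdefault(key, len(index) + 1)
    return of_transition, len(index)


def interfaces(transitions, vc):
    """Def. 14: int[p](j) contains w in {-1, 1} iff some transition t of
    neighbourhood j has w = -Pre(p, t) + Post(p, t)."""
    nb, count = neighbourhoods(transitions, vc)
    places = set().union(*(pre | post for pre, post in transitions.values()))
    result = {}
    for p in sorted(places - vc):
        effect = defaultdict(set)
        for t, (pre, post) in transitions.items():
            w = (p in post) - (p in pre)
            if w:
                effect[nb[t]].add(w)
        result[p] = tuple(frozenset(effect[j]) for j in range(1, count + 1))
    return result


def special_places(transitions, vc, p_phi):
    """S = VC, plus the formula places, plus one designated place p_I for each
    interface class that has a place outside the formula. The smallest name
    is designated here; the definition allows any choice."""
    classes = defaultdict(set)
    for p, iface in interfaces(transitions, vc).items():
        classes[iface].add(p)
    special = set(vc) | set(p_phi)
    for members in classes.values():
        outside = members - set(p_phi)
        if outside:
            special.add(min(outside))
    return special, classes


def edge_constraint(transitions, vc, p_phi, m0):
    """Def. 17: u(I) = number of initially marked places of interface I
    that lie outside S."""
    special, classes = special_places(transitions, vc, p_phi)
    return {iface: len((members - special) & set(m0))
            for iface, members in classes.items()}
```

With these inputs the seven special places are tracked explicitly by the automaton's states, while the remaining raw-material places survive only as the counts in u.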

Definition 18. Let $A_{\mathcal{N}}$ be an edge constrained automaton as in Def. 17 and let 
$\pi = P_0 P_1 \cdots$ be a finite or infinite word over $\mathscr{P}(S)$. Then $\pi$ is a valid run of 
$A_{\mathcal{N}}$ iff for every position $j \ge 1$ of $\pi$, we can associate an element $I_j \in \Sigma$ such 
that 

- for every position $j \ge 1$ of $\pi$, $(P_{j-1}, I_j, P_j) \in \delta_{\mathcal{N}}$ and 

- for every $I \in Int$, $|\{j \ge 1 \mid I_j = I\}| \le u(I)$. 

- if $\pi$ is finite and $P_j$ is the last element of $\pi$, then $P_j \in F_{\mathcal{N}}$ and for every 
interface $I \in Int$ and marking $M_j{\upharpoonright}S = P_j$ enabling some transition that 
removes tokens from some place in $P_I \setminus S$, $|\{j \ge 1 \mid I_j = I\}| = u(I)$. 

Next we have a run construction lemma. 



Lemma 19. Let $\mathcal{N}$ be a 1-safe net with initial marking $M_0$, $\phi$ be a formula and 
$A_{\mathcal{N}}$ be as in Def. 17. For every infinite (maximal finite) run $\pi = M_0 M_1 \cdots$ 
of $\mathcal{N}$, there exists an infinite (finite) run $\pi' = M_0 M'_1 \cdots$ such that the word 
$(M_0{\upharpoonright}S)(M'_1{\upharpoonright}S) \cdots$ is a valid run of $A_{\mathcal{N}}$ and for every position $j$ of $\pi$, 
$M'_j{\upharpoonright}P_\phi = M_j{\upharpoonright}P_\phi$. If an infinite (finite) word $\pi = P_0 P_1 \cdots$ over $\mathscr{P}(S)$ is a 
valid run of $A_{\mathcal{N}}$ and $P_0 = M_0{\upharpoonright}S$, then there is an infinite (finite maximal) run 
$M_0 M_1 \cdots$ of $\mathcal{N}$ such that $M_j{\upharpoonright}S = P_j$ for all positions $j$ of $\pi$. 

Proof. Let $\pi = M_0 M_1 \cdots$ be an infinite or a maximal finite run of $\mathcal{N}$. For every 
interface $I \in Int$, perform the following steps: if for some marking $M$ in the 
above run, $\{p \in P_I \mid M(p) = 1\} = \emptyset$, let $M_I$ be the first such marking. By 
Prop. 15, no transition occurring before $M_I$ will add any token to any place 
in $P_I$. If there is any transition occurring after $M_I$ that adds/removes tokens 
from $P_I \setminus S$, replace it with another transition with the same neighbourhood 
that adds/removes tokens from $p_I$. By Prop. 15, such a replacement will not 
affect any place in $P_\phi$ and the new sequence of transitions is still enabled at 
$M_0$. After performing this process for every interface $I \in Int$, let the new run 
be $\pi' = M_0 M'_1 \cdots$. By construction, we have $M'_j{\upharpoonright}P_\phi = M_j{\upharpoonright}P_\phi$ for all positions 
$j \ge 0$ of $\pi$. If $\pi$ is a maximal finite run, so is $\pi'$. 

Now we will prove that the word $(M_0{\upharpoonright}S)(M'_1{\upharpoonright}S) \cdots$ is a valid run of $A_{\mathcal{N}}$. 
Suppose the sequence of transitions producing the run $\pi'$ is 
$M_0 \stackrel{t_1}{\Longrightarrow} M'_1 \stackrel{t_2}{\Longrightarrow} M'_2 \cdots$. For each position $j \ge 1$ of this run, define 
$I_j \in \Sigma$ as follows: 

- if $t_j$ has all its input and output places among places $S$, let $I_j = \bot$. 

- if $t_j$ removes a token from some place in $P_I \setminus S$ for some interface $I$, let 
$I_j = I$. Due to the way $\pi'$ is constructed, this kind of transition can only 
occur before the position of $M_I$ and the number of such occurrences is at 
most $|\{p \in P_I \setminus S \mid M_0(p) = 1\}| = u(I)$. 

Due to the way $\pi'$ is constructed, there will not be any transition that adds tokens 
to any place in $P_I \setminus S$ for any interface $I$. By definition, it is clear that for every 
position $j \ge 1$ of $\pi'$, $(M'_{j-1}{\upharpoonright}S, I_j, M'_j{\upharpoonright}S) \in \delta_{\mathcal{N}}$. In addition, for every interface 
$I \in Int$, we have $|\{j \ge 1 \mid I_j = I\}| \le u(I)$. Hence, the word $(M_0{\upharpoonright}S)(M'_1{\upharpoonright}S) \cdots$ 
is a valid run of $A_{\mathcal{N}}$ if the word is infinite. If $\pi'$ is finite, suppose $M'_r$ is the 
last marking of the sequence $\pi'$. Suppose for some variety $I \in Int$, there is 
some marking $M$ such that $M{\upharpoonright}S = M'_r{\upharpoonright}S$ and $M$ enables some transition $t$ 
that removes tokens from some place in $P_I \setminus S$. Since $M'_r$ does not enable any 
transition, all transitions (including $t$) removing tokens from some place in $P_I \setminus S$ 
are disabled in $M'_r$. This means that every place in $P_I \setminus S$ that had a token in 
$M$ has lost its token in $M'_r$. Since such loss of tokens can only happen by firing 
transitions that remove tokens from places in $P_I \setminus S$, we have 
$|\{j \ge 1 \mid I_j = I\}| = u(I)$. Hence, to prove that 
$(M_0{\upharpoonright}S)(M'_1{\upharpoonright}S) \cdots (M'_r{\upharpoonright}S)$ is a valid run of $A_{\mathcal{N}}$, it is 
left to show that $M'_r \in F_{\mathcal{N}}$. To see that this is true, observe that if some marking 
$M$ with $M{\upharpoonright}S = M'_r$ enables a transition that does not remove any token from 
$P \setminus S$, then so does $M'_r$, a contradiction. 

Next, suppose $\pi = P_0 P_1 \cdots$ is an infinite or finite word that is a valid run 
of $A_{\mathcal{N}}$ such that $P_0 = M_0{\upharpoonright}S$. For every position $j \ge 1$ of $\pi$, there are 
$I_j \in Int \cup \{\bot\}$, transition $t'_j$ and markings $M'_{j-1}$ and $M'_j$ such that 
$(P_{j-1}, I_j, P_j) \in \delta_{\mathcal{N}}$, $M'_{j-1} \stackrel{t'_j}{\Longrightarrow} M'_j$, $M'_{j-1}{\upharpoonright}S = P_{j-1}$ and $M'_j{\upharpoonright}S = P_j$. 
Define transitions $t_j$ as follows: 

- If $I_j = \bot$, transition $t'_j$ has all its input and output places in $S$. Let $t_j = t'_j$. 

- If $I_j = I \in Int$, transition $t'_j$ removes a token from some place in $P_I \setminus S$. 
Let $t'$ be a transition of the same neighbourhood as $t'_j$ that removes a token 
from some place $p_j \in \{p \in P_I \setminus S \mid M_0(p) = 1\}$ such that no transition 
among $t_1, \ldots, t_{j-1}$ removes tokens from $p_j$. This is possible since, due to the 
validity of $\pi$ in $A_{\mathcal{N}}$, $|\{j' \ge 1 \mid I_{j'} = I\}| \le |\{p \in P_I \setminus S \mid M_0(p) = 1\}| = u(I)$. 
Let $t_j = t'$. 

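We will now prove by induction on $j$ that there are markings $M_0, M_1, \ldots$ such 
that $M_0 \stackrel{t_1}{\Longrightarrow} M_1 \cdots \stackrel{t_j}{\Longrightarrow} M_j$ and $M_j{\upharpoonright}S = P_j$ for every position $j$ of $\pi$. 

Base case $j = 1$: If $I_1 = \bot$, the fact that $M_0{\upharpoonright}S = P_0$, $M'_0 \stackrel{t'_1}{\Longrightarrow} M'_1$ and that 
$t_1$ has all its input and output places in $S$ implies that $M_0 \stackrel{t_1}{\Longrightarrow} M_1$ for some 
$M_1$ such that $M_1{\upharpoonright}S = P_1$. If $I_1 = I \in Int$, then $t_1$ removes a token from some 
place $p_1 \in P_I \setminus S$. Again the fact that $M_0{\upharpoonright}S = P_0$ and $M'_0 \stackrel{t'_1}{\Longrightarrow} M'_1$ implies that 
$M_0 \stackrel{t_1}{\Longrightarrow} M_1$ for some $M_1$ such that $M_1{\upharpoonright}S = P_1$. 

Induction step: If $I_{j+1} = \bot$, the fact that $M_j{\upharpoonright}S = P_j$, $M'_j \stackrel{t'_{j+1}}{\Longrightarrow} M'_{j+1}$ 
and that $t_{j+1}$ has all its input and output places in $S$ implies that 
$M_j \stackrel{t_{j+1}}{\Longrightarrow} M_{j+1}$ for some $M_{j+1}$ such that $M_{j+1}{\upharpoonright}S = P_{j+1}$. If $I_{j+1} = I \in Int$, then $t_{j+1}$ 
removes a token from some place $p_{j+1} \in P_I \setminus S$. Again the fact that $M_j{\upharpoonright}S = P_j$ 
and $M'_j \stackrel{t'_{j+1}}{\Longrightarrow} M'_{j+1}$ implies that $M_j \stackrel{t_{j+1}}{\Longrightarrow} M_{j+1}$ for some $M_{j+1}$ such that 
$M_{j+1}{\upharpoonright}S = P_{j+1}$. 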

If $\pi$ is a finite word, we have to prove that the run constructed above is a 
maximal finite run. Let $M_r$ be the last marking in the sequence constructed 
above. We will prove that $M_r$ does not enable any transition. Suppose some 
transition $t$ is enabled at $M_r$. Since $M_r{\upharpoonright}S \in F_{\mathcal{N}}$, $t$ removes a token from some 
place in $P_I \setminus S$ for some variety $I$. Since $|\{j \ge 1 \mid I_j = I\}| = u(I)$, there are 
$u(I)$ transition occurrences among $t_1, \ldots, t_r$ that each remove a token from some 
place in $P_I \setminus S$. Since there were exactly $u(I)$ places in $P_I \setminus S$ that had a token 
in $M_0$ and no other transition adds any token to any place in $P_I \setminus S$, $t$ cannot 
be enabled at $M_r$. Hence, no transition is enabled at $M_r$. □ 

Lemma 19 implies that in order to check if $\mathcal{N}$ is a model of the formula $\phi$, 
it is enough to check that all valid runs of $A_{\mathcal{N}}$ satisfy $\phi$. This can be done 
by checking that no finite valid run of $A_{\mathcal{N}}$ is accepted by $A_{\neg\phi}$ and no infinite 
valid run of $A_{\mathcal{N}}$ is accepted by $B_{\neg\phi}$. As usual, this needs a product construction. 
Automata $A_{\neg\phi}$ and $B_{\neg\phi}$ run on the alphabet $\mathscr{P}(P_\phi)$. Let $Q_A$ and $Q_B$ be the set 
of states of $A_{\neg\phi}$ and $B_{\neg\phi}$ respectively. Then, 
$A_{\neg\phi} = (Q_A, \mathscr{P}(P_\phi), \delta_A, Q_{0A}, F_A)$ 
and $B_{\neg\phi} = (Q_B, \mathscr{P}(P_\phi), \delta_B, Q_{0B}, F_B)$. 



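Definition 20. 
$A_{\mathcal{N}} \times A_{\neg\phi} = (Q_{\mathcal{N}} \times Q_A, \Sigma, \delta^a_{\mathcal{N}}, \{M_0{\upharpoonright}S\} \times Q_{0A}, F_{\mathcal{N}} \times F_A, u)$, 
$A_{\mathcal{N}} \times B_{\neg\phi} = (Q_{\mathcal{N}} \times Q_B, \Sigma, \delta^b_{\mathcal{N}}, \{M_0{\upharpoonright}S\} \times Q_{0B}, Q_{\mathcal{N}} \times F_B, u)$ where 

$((q_1, q_2), I, (q'_1, q'_2)) \in \delta^a_{\mathcal{N}}$ iff $(q_1, I, q'_1) \in \delta_{\mathcal{N}}$ and $(q_2, q_1 \cap P_\phi, q'_2) \in \delta_A$ 
$((q_1, q_2), I, (q'_1, q'_2)) \in \delta^b_{\mathcal{N}}$ iff $(q_1, I, q'_1) \in \delta_{\mathcal{N}}$ and $(q_2, q_1 \cap P_\phi, q'_2) \in \delta_B$ 

An accepting path of $A_{\mathcal{N}} \times A_{\neg\phi}$ is a sequence 
$(q_0, q'_0) I_1 (q_1, q'_1) \cdots I_r (q_r, q'_r)$ which is $\delta^a_{\mathcal{N}}$-respecting: 

- $(q_0, q'_0), (q_1, q'_1), \ldots, (q_r, q'_r) \in Q_{\mathcal{N}} \times Q_A$, 

- the word $I_1 \cdots I_r \in \Sigma^*$ witnesses the validity of the run $q_0 q_1 \cdots q_r$ in $A_{\mathcal{N}}$ (as 
in Def. 18) and 

- the word $(q_0 \cap P_\phi) \cdots (q_r \cap P_\phi)$ is accepted by $A_{\neg\phi}$ through the run 
$q'_0 q'_1 \cdots q'_r q'_F$ for some $q'_F \in F_A$ with $(q'_r, q_r \cap P_\phi, q'_F) \in \delta_A$. 

An accepting path of $A_{\mathcal{N}} \times B_{\neg\phi}$ is defined similarly. 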

Proposition 21. A 1-safe net $\mathcal{N}$ with initial marking $M_0$ is a model of a 
formula $\phi$ iff there is no accepting path in $A_{\mathcal{N}} \times A_{\neg\phi}$ and $A_{\mathcal{N}} \times B_{\neg\phi}$. 

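Proof. Suppose $\mathcal{N}$ is a model of $\phi$. Hence, all maximal runs of $\mathcal{N}$ satisfy $\phi$. We 
will prove that there is no accepting path in $A_{\mathcal{N}} \times A_{\neg\phi}$ and $A_{\mathcal{N}} \times B_{\neg\phi}$. Assume by 
way of contradiction that there is an accepting path 
$(q_0, q'_0) I_1 (q_1, q'_1) \cdots I_r (q_r, q'_r)$ 
in $A_{\mathcal{N}} \times A_{\neg\phi}$. By Def. 20, $q_0 q_1 \cdots q_r$ is a valid run of $A_{\mathcal{N}}$. By Lemma 19, there is a 
finite maximal run $M_0 M_1 \cdots M_r$ of $\mathcal{N}$ with $M_j{\upharpoonright}S = q_j$ for all positions $0 \le j \le r$. 
By Def. 20, $(q_0 \cap P_\phi) \cdots (q_r \cap P_\phi)$ is accepted by $A_{\neg\phi}$ and hence satisfies $\neg\phi$. 
Proposition 16 now implies that $M_0 M_1 \cdots M_r$ satisfies $\neg\phi$, a contradiction. The 
argument for $A_{\mathcal{N}} \times B_{\neg\phi}$ is similar. 

Suppose $\mathcal{N}$ is not a model of $\phi$. Suppose there is a finite maximal run 
$M_0 M_1 \cdots M_r$ of $\mathcal{N}$ that satisfies $\neg\phi$. By Lemma 19, there is a finite maximal 
run $\pi' = M_0 M'_1 \cdots M'_r$ such that the word $(M_0{\upharpoonright}S)(M'_1{\upharpoonright}S) \cdots (M'_r{\upharpoonright}S)$ is 
a valid run of $A_{\mathcal{N}}$ and for every position $j$ of $\pi'$, $M'_j{\upharpoonright}P_\phi = M_j{\upharpoonright}P_\phi$. By Prop. 16, 
$(M_0{\upharpoonright}P_\phi)(M'_1{\upharpoonright}P_\phi) \cdots (M'_r{\upharpoonright}P_\phi)$ satisfies $\neg\phi$ and is hence accepted by $A_{\neg\phi}$, say with 
the run $q'_0 q'_1 \cdots q'_r q'_F$. Let the word $I_1 \cdots I_r \in \Sigma^*$ witness the validity of the 
run $(M_0{\upharpoonright}S)(M'_1{\upharpoonright}S) \cdots (M'_r{\upharpoonright}S)$ in $A_{\mathcal{N}}$, as in Def. 18. By Def. 20, the sequence 
$(M_0{\upharpoonright}P_\phi, q'_0) I_1 (M'_1{\upharpoonright}P_\phi, q'_1) \cdots I_r (M'_r{\upharpoonright}P_\phi, q'_r)$ is an accepting path of 
$A_{\mathcal{N}} \times A_{\neg\phi}$. The argument for maximal infinite runs is similar. □ 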

To efficiently check the existence of accepting paths in $A_{\mathcal{N}} \times A_{\neg\phi}$ and 
$A_{\mathcal{N}} \times B_{\neg\phi}$, it is convenient to look at them as graphs, possibly with self loops and 
parallel edges. Let the set of states be the set of vertices of the graph and each 
transition $(q, I_j, q')$ be an $I_j$-labelled edge leaving $q$ and entering $q'$. If there is 
a path $\mu$ in the graph from $q$ to $q'$, the number of times an edge $e$ occurs in $\mu$ 
is denoted by $\mu(e)$. If $s \notin \{q, q'\}$ is some node occurring in $\mu$, then the number 
of edges of $\mu$ entering $s$ is equal to the number of edges of $\mu$ leaving $s$. These 
conditions can be expressed as integer linear constraints. 



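$$\sum_{e \text{ leaves } q} \mu(e) - \sum_{e \text{ enters } q} \mu(e) = 1$$

$$\sum_{e \text{ enters } q'} \mu(e) - \sum_{e \text{ leaves } q'} \mu(e) = 1 \qquad (1)$$

$$\sum_{e \text{ enters } s} \mu(e) = \sum_{e \text{ leaves } s} \mu(e)$$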

Lemma 22 (Theorem 2.1, [20]). In a directed graph $G = (V, E)$ (possibly 
with self loops and parallel edges), let $\mu : E \to \mathbb{N}$ be a function such that the 
underlying undirected graph induced by edges $e$ such that $\mu(e) > 0$ is connected. 
Then, there is a path from $q$ to $q'$ with each edge $e$ occurring $\mu(e)$ times iff $\mu$ 
satisfies the constraints (1) above. 

If the beginning and the end of a path are the same (i.e., if $q = q'$), small 
modifications of (1) and Lemma 22 are required. Finally we can prove our desired 
theorem. 



Theorem 23. Let $\mathcal{N}$ be a 1-safe net with initial marking $M_0$ and $\phi$ be an MSO 
formula. Parameterized by the vertex cover number of $G(\mathcal{N})$ and the size of $\phi$, 
checking whether $\mathcal{N}$ is a model of $\phi$ is Fpt. 

Proof. By Prop. 21, it is enough to check that there are no accepting paths in 
$A_{\mathcal{N}} \times A_{\neg\phi}$ and $A_{\mathcal{N}} \times B_{\neg\phi}$. To check the existence of accepting paths in 
$A_{\mathcal{N}} \times B_{\neg\phi}$, we have to check if from some initial state in $\{M_0{\upharpoonright}S\} \times Q_{0B}$, we can 
reach some vertex in a maximal strongly connected component induced by 
$\bot$-labelled edges, which contains some states from $Q_{\mathcal{N}} \times F_B$. For every such initial 
state $q$ and a vertex $q'$ in such a strongly connected component, check the 
feasibility of (1) along with the following constraint for each interface $I$: 

$$\sum_{e \text{ is } I\text{-labelled}} \mu(e) \le u(I) \qquad (2)$$

To check the existence of accepting paths in $A_{\mathcal{N}} \times A_{\neg\phi}$, check the feasibility 
of (1) and (2) for every state $q$ in $\{M_0{\upharpoonright}S\} \times Q_{0A}$ and every state $(P_1, q'')$ in 
$F_{\mathcal{N}} \times Q_A$ with some $q_F \in F_A$ such that $(q'', P_1 \cap P_\phi, q_F) \in \delta_A$. If some marking 
$M$ with $M{\upharpoonright}S = P_1$ enables some transition removing a token from some place 
with interface $I$, then for each such interface, add the following constraint: 

$$\sum_{e \text{ is } I\text{-labelled}} \mu(e) = u(I) \qquad (3)$$

The variables in the above Ilp instances are $\mu(e)$ for each edge $e$. The number 
of variables in each Ilp instance is bounded by some function of the parameters. 
As Ilp is Fpt when parameterized by the number of variables [13,14,11], the 
result follows. □ 
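
The following added example (not from the paper) checks constraints (1) and (2) for a candidate $\mu$ and, when (1) and the connectivity hypothesis of Lemma 22 hold, builds the path whose existence the lemma asserts. The graph, the labels `"bot"` and `"I"`, and the values of `MU` are constructed; the path is built with Hierholzer's algorithm, a standard Euler-trail construction chosen here, and the case $q = q'$ is not handled.

```python
from collections import defaultdict

# Constructed product graph: (source, label, target). "bot" stands for the
# bottom label and "I" for one interface; edge 1 is a self loop.
EDGES = [("A", "bot", "B"), ("B", "I", "B"), ("B", "bot", "C"), ("C", "bot", "A")]
MU = [2, 2, 2, 1]   # candidate mu(e) for each edge, by index


def satisfies_flow(edges, mu, q, q_end):
    """Constraints (1), assuming q != q_end: leaving minus entering is 1 at q,
    -1 at q_end and 0 at every other node."""
    balance = defaultdict(int)
    for (src, _, dst), m in zip(edges, mu):
        balance[src] += m
        balance[dst] -= m
    return all(balance[s] == (s == q) - (s == q_end)
               for s in set(balance) | {q, q_end})


def respects_bounds(edges, mu, u):
    """Constraint (2): I-labelled edges are used at most u(I) times in total."""
    used = defaultdict(int)
    for (_, label, _), m in zip(edges, mu):
        used[label] += m
    return all(used[label] <= bound for label, bound in u.items())


def support_connected(edges, mu):
    """Hypothesis of Lemma 22: the edges with mu(e) > 0 induce a connected
    undirected graph."""
    adj = defaultdict(set)
    for (src, _, dst), m in zip(edges, mu):
        if m > 0:
            adj[src].add(dst)
            adj[dst].add(src)
    if not adj:
        return False
    start = next(iter(adj))
    seen, todo = {start}, [start]
    while todo:
        for nxt in adj[todo.pop()] - seen:
            seen.add(nxt)
            todo.append(nxt)
    return seen == set(adj)


def build_path(edges, mu, q, q_end):
    """Edge indices of a path from q to q_end that uses edge i exactly mu[i]
    times, or None when (1) or the connectivity hypothesis fails."""
    if not (satisfies_flow(edges, mu, q, q_end) and support_connected(edges, mu)):
        return None
    remaining = list(mu)
    out = defaultdict(list)
    for i, (src, _, _) in enumerate(edges):
        if mu[i] > 0:
            out[src].append(i)
    stack, trail = [(q, None)], []
    while stack:                       # Hierholzer's algorithm, iterative form
        node, via = stack[-1]
        while out[node] and remaining[out[node][-1]] == 0:
            out[node].pop()            # drop edges whose budget is spent
        if out[node]:
            i = out[node][-1]
            remaining[i] -= 1
            stack.append((edges[i][2], i))
        else:
            stack.pop()
            if via is not None:
                trail.append(via)
    return trail[::-1]
```

A balanced but disconnected $\mu$ (for instance one that also uses a self loop on an unreachable node) passes `satisfies_flow` yet yields no path, which is why the lemma carries the connectivity hypothesis.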



The dependence of the running time of the above algorithm on formula size 
is non-elementary if the formula is MSO [15]. The dependence reduces to single 
exponential in case of LTL formulas [22] . The dependence on vertex cover number 
is dominated by the running time of Ilp, which is singly exponential in the 
number of its variables. The number of variables in turn depends on the number 
of VC-interfaces (Def. 14). In the worst case, this can be triply exponential but 
a given 1-safe Petri net need not have all possible VC-interfaces. 

5 Conclusion 

The main idea behind the Fpt upper bound for MSO/LTL model checking is 
the fact that the problem can be reduced to graph reachability and hence to Ilp. 
It remains to be seen if such techniques or others can be applied for branching 
time logics such as CTL. 

We have some negative results with pathwidth and benefit depth as parameters 
and a positive result with vertex cover number as parameter. We think it is 
a challenging problem to identify other parameters associated with 1-safe Petri 
nets for which standard problems in the concurrency literature are Fpt. Another 
direction for further work, suggested by a referee, is to check if the upper bound 
can be extended to other classes of Petri nets such as communication-free nets. 

The results of Sect. 3 prove hardness for the lowest level of the W-hierarchy. 
It remains to be seen if the lower bounds could be made tighter. The 
parameterized classes ParaNp and Xp include the whole W-hierarchy. Lower bounds 
or upper bounds corresponding to these classes would be interesting. 